feat(scanning)!: Deploy gcr subscriptions for each project (#64)

tembleking · hayk99 · web-flow · commit 683241d24098 · 2021-10-20T16:03:43.000+02:00
The gcr topic is now assumed to be existing in all the projects that are
going to be scanned as part of the organization.

Last implementation relied on Eventarc triggers to retrieve the events from GCR / Artifact Registry into the Cloud Run deployment. That works for single-project deployments, but organizational deployments require the use of subscriptions sending the events to the HTTP endpoint of the Cloud Run deployment instead.

BREAKING CHANGE: This adds a new variable called project_scan_ids which specifies the IDs of the projects where a subscription must be created for the expected gcr topic in each project, and removes the create_gcr_topic variable which may be confusing to the users, since some of the scanned projects may or may not contain this topic, and verifying if it exists is not an option.

* feat(scanning): Add gcr subscription deployments for each project
* chore: remove unsed datas and fix scanning push url
* feat: Add project_scan_ids and remove create_gcr_topic variable
* fix(ci): Add gcr topic to organizational test
* fix(ci): Create gcr topic as part of single_project test
* feat: Mark project_scan_ids as required
* fix: Add ArtifactRegistry permissions to GCR pull

Co-authored-by: Hayk Kocharyan &lt;hayk.kocharyan@sysdig.com&gt;
diff --git a/README.md b/README.md
@@ -118,14 +118,14 @@ Notice that:
   $ terraform import 'module.secure-for-cloud_example_single-project.module.cloud_bench[0].module.trust_relationship["<YOUR_PROJECT_ID>"].google_iam_workload_identity_pool.pool' sysdigcloud
   $ terraform import 'module.secure-for-cloud_example_single-project.module.cloud_bench[0].module.trust_relationship["<YOUR_PROJECT_ID>"].google_iam_workload_identity_pool_provider.pool_provider' sysdigcloud/sysdigcloud
    ```
-  
+
 - Q2: Scanning does not seem to work<br/>
   A2: Verify that `gcr` topic exists. If `create_gcr_topic` is set to false and `gcr` topic is not found, the GCR scanning is ommited and won't be deployed. For more info see GCR PubSub topic.
 
 - Q3: Scanning, I get an error saying:
   ```
-  error starting scan runner for image ****: rpc error: code = PermissionDenied desc = Cloud Build API has not been used in project *** before or it is disabled. 
-  Enable it by visiting https://console.developers.google.com/apis/api/cloudbuild.googleapis.com/overview?project=*** then retry. 
+  error starting scan runner for image ****: rpc error: code = PermissionDenied desc = Cloud Build API has not been used in project *** before or it is disabled.
+  Enable it by visiting https://console.developers.google.com/apis/api/cloudbuild.googleapis.com/overview?project=*** then retry.
   If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry
   ```
   A3: Do as the error says and activate CloudBuild API. Check the list of all the required APIs that need to be activated per feature module.
diff --git a/examples/organization/README.md b/examples/organization/README.md
@@ -6,46 +6,49 @@ Sysdig workload will be deployed in the `project_id` defined in the required inp
 
 ![single project diagram](https://github.com/sysdiglabs/terraform-google-secure-for-cloud/blob/master/examples/organization/diagram-org.png?raw=true)
 
-
 ## Prerequisites
 
 You **must** have following **roles** in your GCP organization/project credentials
+
 * _Owner_
 * _Organization Admin_
 
 Besides, the following GCP **APIs must be enabled** to deploy resources correctly for:
 
 ### Cloud Connector
+
 * [Cloud Pub/Sub API](https://console.cloud.google.com/marketplace/product/google/pubsub.googleapis.com)
 * [Cloud Run API](https://console.cloud.google.com/marketplace/product/google/run.googleapis.com)
 * [Eventarc API](https://console.cloud.google.com/marketplace/product/google/eventarc.googleapis.com)
 
 ### Cloud Scanning
+
 * [Cloud Pub/Sub API](https://console.cloud.google.com/marketplace/product/google/pubsub.googleapis.com)
 * [Cloud Run API](https://console.cloud.google.com/marketplace/product/google/run.googleapis.com)
 * [Eventarc API](https://console.cloud.google.com/marketplace/product/google/eventarc.googleapis.com)
 * [Secret Manger API](https://console.cloud.google.com/marketplace/product/google/secretmanager.googleapis.com)
 * [Cloud Build API](https://console.cloud.google.com/marketplace/product/google/cloudbuild.googleapis.com)
 * [Identity and access management API](https://console.cloud.google.com/marketplace/product/google/iam.googleapis.com)
 
- ### Cloud Benchmarks
+### Cloud Benchmarks
+
 * [Identity and access management API](https://console.cloud.google.com/marketplace/product/google/iam.googleapis.com)
 * [IAM Service Account Credentials API](https://console.cloud.google.com/marketplace/product/google/iamcredentials.googleapis.com)
 * [Cloud Resource Manager API](https://console.cloud.google.com/marketplace/product/google/cloudresourcemanager.googleapis.com)
 * [Security Token Service API](https://console.cloud.google.com/marketplace/product/google/sts.googleapis.com)
 
-
 ## Usage
 
 For quick testing, use this snippet on your terraform files
 
-```
+```terraform
 module "secure-for-cloud_example_organization" {
-  source  = "sysdiglabs/secure-for-cloud/google//examples/organization"
+  source = "sysdiglabs/secure-for-cloud/google//examples/organization"
 
-  sysdig_secure_api_token   = "00000000-1111-2222-3333-444444444444"
-  project_id                = "your-project-id"
-  organization_domain       = "your-domain.com"
+  project_id              = "your-project-id"
+  project_scan_ids        = ["project-to-scan-1", "project-to-scan-2"]
+  sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
+  organization_domain     = "your-domain.com"
 }
 ```
 
@@ -93,11 +96,11 @@ module "secure-for-cloud_example_organization" {
 |------|-------------|------|---------|:--------:|
 | <a name="input_organization_domain"></a> [organization\_domain](#input\_organization\_domain) | Organization domain. e.g. sysdig.com | `string` | n/a | yes |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | Organization member project ID where the secure-for-cloud workload is going to be deployed | `string` | n/a | yes |
+| <a name="input_project_scan_ids"></a> [project\_scan\_ids](#input\_project\_scan\_ids) | Projects where a subscription must be created to pull events from their GCR topics. Warning, the topic called `gcr` must already exist in each provided project. | `list(string)` | n/a | yes |
 | <a name="input_sysdig_secure_api_token"></a> [sysdig\_secure\_api\_token](#input\_sysdig\_secure\_api\_token) | Sysdig's Secure API Token | `string` | n/a | yes |
 | <a name="input_benchmark_project_ids"></a> [benchmark\_project\_ids](#input\_benchmark\_project\_ids) | Google cloud project IDs to run Benchmarks on | `list(string)` | `[]` | no |
 | <a name="input_benchmark_regions"></a> [benchmark\_regions](#input\_benchmark\_regions) | List of regions in which to run the benchmark. If empty, the task will contain all regions by default. | `list(string)` | `[]` | no |
 | <a name="input_benchmark_role_name"></a> [benchmark\_role\_name](#input\_benchmark\_role\_name) | The name of the Service Account that will be created. | `string` | `"sysdigcloudbench"` | no |
-| <a name="input_create_gcr_topic"></a> [create\_gcr\_topic](#input\_create\_gcr\_topic) | Deploys a PubSub topic called `gcr` as part of this stack, which is needed for GCR scanning. Set to `true` only if it doesn't exist yet. If this is not deployed, and no existing `gcr` topic is found, the GCR scanning is ommited and won't be deployed. For more info see [GCR PubSub topic](https://cloud.google.com/container-registry/docs/configuring-notifications#create_a_topic). | `bool` | `true` | no |
 | <a name="input_deploy_bench"></a> [deploy\_bench](#input\_deploy\_bench) | whether benchmark module is to be deployed | `bool` | `true` | no |
 | <a name="input_location"></a> [location](#input\_location) | Zone where the stack will be deployed | `string` | `"us-central1"` | no |
 | <a name="input_max_instances"></a> [max\_instances](#input\_max\_instances) | Max number of instances for the workloads | `number` | `1` | no |
diff --git a/examples/organization/main.tf b/examples/organization/main.tf
@@ -92,7 +92,11 @@ resource "google_organization_iam_custom_role" "org_gcr_image_puller" {
   description = "Allows pulling GCR images from all accounts in the organization"
   permissions = [
     "storage.objects.get",
-    "storage.objects.list"
+    "storage.objects.list",
+    "artifactregistry.repositories.get",
+    "artifactregistry.repositories.downloadArtifacts",
+    "artifactregistry.tags.list",
+    "artifactregistry.tags.get"
   ]
 }
 
@@ -129,9 +133,10 @@ module "cloud_scanning" {
   verify_ssl                 = local.verify_ssl
 
   cloud_scanning_sa_email  = google_service_account.scanning_sa.email
-  create_gcr_topic         = var.create_gcr_topic
   scanning_pubsub_topic_id = module.connector_organization_sink.pubsub_topic_id
   project_id               = var.project_id
+  create_gcr_topic         = false # We assume all the project_scan_ids have a topic created called gcr
+  project_scan_ids         = var.project_scan_ids
 
   max_instances = var.max_instances
 }
diff --git a/examples/organization/variables.tf b/examples/organization/variables.tf
@@ -14,6 +14,11 @@ variable "project_id" {
   description = "Organization member project ID where the secure-for-cloud workload is going to be deployed"
 }
 
+variable "project_scan_ids" {
+  type        = list(string)
+  description = "Projects where a subscription must be created to pull events from their GCR topics. Warning, the topic called `gcr` must already exist in each provided project."
+}
+
 # --------------------------
 # optionals, with defaults
 # --------------------------
@@ -46,19 +51,6 @@ variable "max_instances" {
   default     = 1
 }
 
-variable "create_gcr_topic" {
-  type        = bool
-  description = "Deploys a PubSub topic called `gcr` as part of this stack, which is needed for GCR scanning. Set to `true` only if it doesn't exist yet. If this is not deployed, and no existing `gcr` topic is found, the GCR scanning is ommited and won't be deployed. For more info see [GCR PubSub topic](https://cloud.google.com/container-registry/docs/configuring-notifications#create_a_topic)."
-  default     = true
-}
-
-variable "deploy_bench" {
-  type        = bool
-  description = "whether benchmark module is to be deployed"
-  default     = true
-}
-
-
 variable "benchmark_regions" {
   type        = list(string)
   description = "List of regions in which to run the benchmark. If empty, the task will contain all regions by default."
@@ -76,3 +68,9 @@ variable "benchmark_role_name" {
   description = "The name of the Service Account that will be created."
   default     = "sysdigcloudbench"
 }
+
+variable "deploy_bench" {
+  type        = bool
+  description = "whether benchmark module is to be deployed"
+  default     = true
+}
diff --git a/examples/single-project/README.md b/examples/single-project/README.md
@@ -36,12 +36,13 @@ Besides, the following GCP **APIs must be enabled** to deploy resources correctl
 
 For quick testing, use this snippet on your terraform files
 
-```
+```terraform
 module "secure-for-cloud_example_single-project" {
-  source  = "sysdiglabs/secure-for-cloud/google//examples/single-project"
+  source = "sysdiglabs/secure-for-cloud/google//examples/single-project"
+
 
-  sysdig_secure_api_token   = "00000000-1111-2222-3333-444444444444"
-  project_id                = "your-project-id"
+  sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
+  project_id              = "your-project-id"
 }
 ```
 
diff --git a/examples/single-project/main.tf b/examples/single-project/main.tf
@@ -87,6 +87,7 @@ module "cloud_scanning" {
   scanning_pubsub_topic_id = module.scanning_project_sink.pubsub_topic_id
   create_gcr_topic         = var.create_gcr_topic
   project_id               = var.project_id
+  project_scan_ids         = [var.project_id]
 
   secure_api_token_secret_id = module.secure_secrets.secure_api_token_secret_name
   sysdig_secure_api_token    = var.sysdig_secure_api_token
diff --git a/modules/services/cloud-scanning/README.md b/modules/services/cloud-scanning/README.md
@@ -5,14 +5,16 @@ deployment that trigger image scans based on changes in your infrastructure.
 
 ## Usage
 
-```hcl
+```terraform
 module "cloud_scanning_gcp" {
   source = "sysdiglabs/secure-for-cloud/google/services/cloud-scanning"
 
-  create_gcr_topic        = true
-  # Set to "false" if there's an existing PubSub topic called "gcr"
   sysdig_secure_api_token = "00000000-1111-2222-3333-444444444444"
   sysdig_secure_endpoint  = "https://secure.sysdig.com"
+  project_scan_ids        = ["project-id-to-scan"]
+
+  # Set to "false" if there's an existing PubSub topic called "gcr"
+  create_gcr_topic = true
 }
 ```
 
@@ -40,15 +42,14 @@ No modules.
 |------|------|
 | [google_cloud_run_service.cloud_scanning](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service) | resource |
 | [google_cloud_run_service_iam_member.run_invoker](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_service_iam_member) | resource |
-| [google_eventarc_trigger.gcr](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/eventarc_trigger) | resource |
 | [google_eventarc_trigger.trigger](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/eventarc_trigger) | resource |
 | [google_project_iam_member.builder](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.event_receiver](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.service_account_user_itself](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_project_iam_member.token_creator](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_pubsub_subscription.gcr](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
 | [google_pubsub_topic.gcr](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic) | resource |
 | [google_project.project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
-| [google_pubsub_topic.gcr](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/pubsub_topic) | data source |
 
 ## Inputs
 
@@ -66,6 +67,7 @@ No modules.
 | <a name="input_location"></a> [location](#input\_location) | Zone where the cloud scanning will be deployed | `string` | `"us-central1"` | no |
 | <a name="input_max_instances"></a> [max\_instances](#input\_max\_instances) | Max number of instances for the Cloud Scanning | `number` | `1` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name to be assigned to all child resources. A suffix may be added internally when required. Use default value unless you need to install multiple instances | `string` | `"sfc-cloudscanning"` | no |
+| <a name="input_project_scan_ids"></a> [project\_scan\_ids](#input\_project\_scan\_ids) | Projects where a subscription must be created to pull events from their GCR topics to scan their images. Warning, a topic called `gcr` must already exist in each provided project. | `list(string)` | `[]` | no |
 | <a name="input_verify_ssl"></a> [verify\_ssl](#input\_verify\_ssl) | Verify the SSL certificate of the Secure endpoint | `bool` | `true` | no |
 
 ## Outputs
diff --git a/modules/services/cloud-scanning/gcr.tf b/modules/services/cloud-scanning/gcr.tf
@@ -1,6 +1,4 @@
 locals {
-  gcr_topic_id = var.create_gcr_topic ? google_pubsub_topic.gcr[0].id : data.google_pubsub_topic.gcr.id
-
   # note
   # topic name is hardcoded by GCP and cannot be changed
   # resource cannot honor var.name
@@ -9,12 +7,6 @@ locals {
   gcr_topic_name = "gcr"
 }
 
-data "google_pubsub_topic" "gcr" {
-  project = var.project_id
-
-  name = local.gcr_topic_name
-  # MUST exist in the infra of the customer, that's the only topic GCR will publish events to.
-}
 
 # FIXME: is this the right place?
 # Required to execute cloud build runs with this same service account
@@ -33,27 +25,22 @@ resource "google_pubsub_topic" "gcr" {
   name  = local.gcr_topic_name
 }
 
-#new
-resource "google_eventarc_trigger" "gcr" {
-  count = length(local.gcr_topic_id[*]) > 0 ? 1 : 0
-  # We won't try to deploy this trigger if the GCR topic doesn't exist
-  name            = "${var.name}-trigger-gcr"
-  location        = var.location
-  service_account = var.cloud_scanning_sa_email
-  matching_criteria {
-    attribute = "type"
-    value     = "google.cloud.pubsub.topic.v1.messagePublished"
-  }
-  destination {
-    cloud_run_service {
-      service = google_cloud_run_service.cloud_scanning.name
-      region  = var.location
-      path    = "/gcr_scanning"
+
+resource "google_pubsub_subscription" "gcr" {
+  for_each = toset(var.project_scan_ids)
+  name     = "${var.name}-gcr-${each.key}"
+  topic    = "projects/${each.key}/topics/${local.gcr_topic_name}"
+
+  ack_deadline_seconds = 10
+
+  push_config {
+    push_endpoint = "${google_cloud_run_service.cloud_scanning.status[0].url}/gcr_scanning"
+    oidc_token {
+      service_account_email = var.cloud_scanning_sa_email
     }
   }
-  transport {
-    pubsub {
-      topic = local.gcr_topic_id
-    }
+  retry_policy {
+    minimum_backoff = "10s"
+    maximum_backoff = "300s"
   }
 }
diff --git a/modules/services/cloud-scanning/variables.tf b/modules/services/cloud-scanning/variables.tf
@@ -75,3 +75,9 @@ variable "max_instances" {
   description = "Max number of instances for the Cloud Scanning"
   default     = 1
 }
+
+variable "project_scan_ids" {
+  type        = list(string)
+  description = "Projects where a subscription must be created to pull events from their GCR topics to scan their images. Warning, a topic called `gcr` must already exist in each provided project."
+  default     = []
+}
diff --git a/test/fixtures/organization/main.tf b/test/fixtures/organization/main.tf
@@ -4,14 +4,18 @@ resource "random_string" "random" {
   upper   = false
 }
 
+resource "google_pubsub_topic" "gcr" {
+  project = var.project_id
+  name    = "gcr"
+}
 
 module "sfc_example_organization" {
   source = "../../../examples/organization"
 
   organization_domain     = var.organization_domain
   sysdig_secure_api_token = var.sysdig_secure_api_token
-  create_gcr_topic        = false
   name                    = "sfc${random_string.random.result}"
   project_id              = var.project_id
+  project_scan_ids        = [var.project_id]
   deploy_bench            = false
 }
diff --git a/test/fixtures/single-project/.kitchen/logs/kitchen.log b/test/fixtures/single-project/.kitchen/logs/kitchen.log
diff --git a/test/fixtures/single-project/main.tf b/test/fixtures/single-project/main.tf
